Re: Signed Email WebID

On 7/16/12 6:11 PM, Nathan wrote:
> Kingsley Idehen wrote:
>> On 7/16/12 5:49 PM, Nathan wrote:
>>> Kingsley Idehen wrote:
>>>> On 7/16/12 5:26 PM, Nathan wrote:
>>>>> Kingsley Idehen wrote:
>>>>>> On 7/16/12 4:42 PM, Nathan wrote:
>>>>>>> Jürgen Jakobitsch wrote:
>>>>>>>> how can i (as a normal user) create a certificate that is trusted
>>>>>>>> by a common ca authority with a webID.
>>>>>>>
>>>>>>> It's a great question without an easy answer.
>>>>>>>
>>>>>>> theoretically it should be a case of configuring openssl using 
>>>>>>> openssl.conf in the usual round-about god awful way to get a 
>>>>>>> subjectAltName in there, then submit the generated CSR to get it 
>>>>>>> signed by a well known CA.
>>>>>>>
>>>>>>> I've only self signed so far and not tested the CA bit, however 
>>>>>>> I know people have been doing it for years with certificate with 
>>>>>>> subjectAltName values in there, for LDAP - so rather sure it'll 
>>>>>>> work as expected.
>>>>>>>
>>>>>>>> or the other way round : i have a valid (from a ca authority) 
>>>>>>>> certificate how do i get a webID in there..
>>>>>>>
>>>>>>> You can't - requires a new cert.
>>>>>>>
>>>>>>>> the problem comes to light, when you sign your emails with a 
>>>>>>>> certificate
>>>>>>>> created with any of the webID generators and most clients will 
>>>>>>>> say that this signature is not valid.
>>>>>>>> i only have evolution and thunderbird at hand, but i assume the 
>>>>>>>> outlook and co. will also complain.
>>>>>>>>
>>>>>>>> i'd really like to sign my mails and have absolutely no problem 
>>>>>>>> with it, but
>>>>>>>> i'm not gonna do it, when i must assume that 90% of the 
>>>>>>>> recipients see some sort
>>>>>>>> of warning, that i'm sending untrusted mails...
>>>>>>>
>>>>>>> I share and understand your concerns, WebID is an awesome 
>>>>>>> concept, but the practicalities of dealing with certs are a 
>>>>>>> *major* put off, mine expired ages ago and I know that any 
>>>>>>> attempt to re-issue it, with the same keys no less (as I use 
>>>>>>> them for git/svn/scp etc) is going to be a complete nightmare. 
>>>>>>> Thus I use an expired cert for git/svn/scp which still works on 
>>>>>>> linux, but I can't use webid any more until I fix it and jump 
>>>>>>> through a few hoops to reissue.
>>>>>>>
>>>>>>> Shame, as WebID - at an abstract level, doesn't even need 
>>>>>>> certificates, it just needs a public/private keypair and a way 
>>>>>>> to pass the webid over.
>>>>>>>
>>>>>>> Regardless, if you want to persist, I'm sure you can get this 
>>>>>>> working with a new CA signed cert :)
>>>>>>>
>>>>>>> Best,
>>>>>>>
>>>>>>> Nathan
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> Nathan,
>>>>>>
>>>>>> Why do you need a single Certificate for anything? How about 
>>>>>> having a certificate aligned to specific activities e.g., signed 
>>>>>> email via s/mime protocol? Thus, in this case you just generate a 
>>>>>> new cert that's specifically for email.
>>>>>>
>>>>>> WebID can't stand on its own during the early stages, it has to 
>>>>>> be hooked into existing protocols like S/MIME, OpenID, LDAP etc. 
>>>>>> to cost-effectively acquire both mindshare and appreciation. Of 
>>>>>> course, if it all pans out, the reality of keypairs will become 
>>>>>> even clearer and some of today's fluff will become much more 
>>>>>> optional. For today, we've gotta hone into bootstrap hacks and 
>>>>>> mechanics :-)
>>>>>
>>>>> Just personal preference to have a single certificate (although my 
>>>>> true preference is to have keys detached from certificates) - but 
>>>>> you raise good points as always, there's no reason for me (us) not 
>>>>> to have multiple certificates, especially if it helps with dog 
>>>>> fooding and getting this show on the road.
>>>>>
>>>>> Best, Nathan
>>>>>
>>>>>
>>>>>
>>>>
>>>> Yes, and it also addresses the Peter Parker and Spiderman identity 
>>>> conundrum .
>>>>
>>>> We carry many cards in our wallets already, so why not many WebID 
>>>> watermarked certs too :-)
>>>>
>>>> BTW -- did you try the social relationship ACL I setup re. one on 
>>>> my SPARQL endpoints? Its driven by SPARQL ASK. s
>>>>
>>>
>>> Ahh I kept getting notifications from an ODS briefcase of yours, is 
>>> that what it was? (will need to get new cert(s) before I do)
>>>
>>>
>>>
>>
>> You get a notice anytime I share a resource for the foaf:Group of 
>> your WebID is a member.
>>
>> Re. SPARQL endpoint test, you just need a WebID that resolves to a 
>> graph that has one of the requisite foaf:knows based social 
>> relationships. In this case, knowing one of:  TimBL, Henry, Melvin, 
>> Jurgen, or I will suffice. Basically, as folks respond to the test, I 
>> add them to the list of WebIDs that should be objects of foaf:knows 
>> relationships.
>
> link?
>
>
My posts are at:

1. http://bit.ly/NmGbMZ -- *Using Social Relationship Semantics & WebID 
to Drive Resource Access Control*
2. http://bit.ly/M7hd4T -- ditto, with the addition of foaf:knows TimBL 
and others to the social relationship based ACLs.

-- 

Regards,

Kingsley Idehen 
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen